The most important of the patched vulnerabilities was a sandbox escape in Pepper Plugin API (PPAPI), the cross-platform API for Native Client-secured web browser plugins. Google classified the vulnerability, discovered by Pinkie Pie who earned $15,000, as high risk.

Another high risk hole was a URL spoofing on iOS. Researcher xisigr of Tencent’s Xuanwu Lab found the vulnerability and picked up a $3,000 bounty.

The remaining nine high severity flaws include a use-after-free in extensions, a heap-buffer-overflow in sfntly, same-origin bypass in Blink, use-after-free in Blink, same-origin bypass in V8, memory corruption in V8, URL spoofing, and use-after-free in libxml.